MyCareer.com.au

The criminal element

Educate. Collaborate. Authenticate. These are the anchor points of the defensive perimeter Australia’s banking community has erected against the emerging threats to their Internet franchise. After their dot-com fuelled rush to develop sales channels online, the banks now find themselves retrofitting security in an environment where they do not control the weakest link – the customer interface.

In turn that has plunged them into an arms race against an asymmetric threat that resides in a virtual world largely beyond any local jurisdiction.

“At the end of the day, we are talking about an emerging crime type and you have to do your utmost to try and keep ahead of the game. Criminals are developing new and different technologies to perpetrate basically the same old crime types,” says Mike Phelan, acting director of the Australian High Tech Crime Centre (AHTCC).

“That means we have to continually develop our repertoire of preventative measures to attack them back.”

It remains unclear exactly how well the banks are coping. Some, like Meta Group’s Michael Warrilow, say the answer is unknowable in the absence of any metrics about the scale of loss.

Bankers MIS spoke to acknowledged the theft of funds but said the amounts were small, and still significantly less than those from other forms of fraud. But what scares them all is the potential.

Already, take-up rates for online banking are declining and security concerns are being blamed.

The most common view from within the banking security fraternity – none of whom will speak on the record – is that, at best, the banks are treading water.

This view holds that they are only just keeping pace with a threat that is both gathering speed and evolving towards disturbing virulence.

The most pessimistic assessment, and it’s a minority view, is that the franchise is failing. Those with this opinion suggest the current overriding focus by banks on access control ignores the emerging threat from identity theft and the damage these twin assaults will deliver to banking’s most fundamental asset – trust.

Sophisticated scams

Peter Bottomley is the National Australia Bank’s manager of Internet banking. The NAB’s Internet business is currently adding about 4,000 new online registrations a week and processing about 12 million transactions a month.

“The complexity of the threat has certainly changed over the past 12 months, as has the sophistication. If you look at the early phishing sites, the grammar was appalling, and some of the screens that they built were not very clever,” he says.

“But that is now changing. Their screens are a lot more convincing. They have started cutting and pasting from our own Web sites and if you don’t look into it closely, it all looks terribly genuine.”

A recent scam targeting the NAB even included a hotline number to call for information about Internet security threats. When Bottomley rang the number and listened in, he eventually realised the syndicate behind the phish had simply copied the interactive voice system recordings from rival Westpac to add to the authenticity of the sting.

It is not just presentation skills that have improved. Early phishing scams sought to entice their victims to willingly enter their login details at a spoof site. Now, according to Bottomley, the banks increasingly see the blending of spam and spyware with e-mails being used to deliver malicious payloads of Trojans and key loggers.

Robert Lowe, computer security analyst at the Australian Computer Emergency Response Team (AusCERT), based at the University of Queensland, confirms this. He describes the current threat posed by Trojans as insidious, rather than aggressive.

“This usually involves the victim being enticed to a malicious Web site, generally by a spam e-mail, and then exploiting weaknesses in the operating system and/or Web browser to download and install a program without the user’s knowledge. The programs then log this information to a remote Web site or send it to attackers via e-mail,” says Lowe.

The past few months have seen the threat ratchet up another level with hackers now able to deliver the payloads directly without recourse to e-mail. The early examples of this technique did not target online banking, but it’s just a matter of time.

It gets worse.

The social engineering underpinning phishing attacks is even evolving quicker than the technology, warns Bottomley.

Ross Murray, Bendigo Bank’s senior manager of online solutions agrees. “There is no doubt the criminals have become more sophisticated – six months ago, the hoax e-mails were even written in ‘pidgin’ English; today, they are pretty well spot-on with the ‘bank lingo’. These e-mails have also become more believable in content. We have even seen hoax security warnings.”

NAB’s Bottomley says another area of steadily improving sophistication centres on the recruitment of the mules and the couriers.

“The Trojan fraud comes in two parts. First, the attacker has to get the money out of your account. And once it’s out, they have to do something with it.”

The latest trick in Australia involves online recruitment sites.

Bottomley says phishers advertise for a local partner on the basis that they are a legitimate company setting up in Australia requiring an agent to manage their transactions during the transition.

Thus have some of Australia’s best-known media companies become unwitting accomplices to fraud.

Educate

The key players in the war against Internet fraud are not technologists or security specialists; they are marketers.

Education is the critical first line of defence. According to David Bell, CEO of the Australian Bankers’ Association (ABA): “All banks are working on educating customers and businesses regarding security and becoming cyber savvy.”

He points out many banks offer security guides on their Web sites and provide customers with advice that can mitigate the risk of attack.

Westpac’s strategy included a national advertising campaign earlier this year. Bank spokesperson Julia Quinn told MIS Westpac “had been very active in educating customers about threats. That activity is now feeding back into the bank with customers now much more likely to report activity they consider suspicious”.

Other banks say they have noticed a similar trend.

ANZ Banking Group’s Kate Gore says, “We have a key role in terms of education about Internet banking security – through our Web site, and through making sure call centre and branch staff are informed so they can adequately deal with customer concerns and queries”.

Collaborate

It is important to keep a sense of perspective. Criminal activity by its nature is clandestine, isolated and insecure. Even the best-resourced syndicates have but a quantum of the technology and skill sets at the disposal of even a single bank. On top of that, the banking sector in Australia has moved quickly to pool its resources.

Indeed, one of the most impressive aspects in the cyber crime space is how quickly and easily companies who would like nothing more than to devastate their competitors in the marketplace, have collaborated to counter the common threat.

MIS understands one of the Big Four banks has for several months been deploying a search bot to identify phishing sites targeting Australian institutions. When it finds them, it shares the information with its competitors.

At the formal level, the most obvious manifestation of collaboration can be found within the AHTCC, which operates out of the Australian Federal Police facilities in Canberra.

Westpac and ANZ confirm they have staff at the AHTCC and NAB’s representative will be joining shortly. All major Australian banks are expected to have staff attached to the centre by the end of the year.

Each of the state police forces has people seconded to the centre, while organisations like AusCERT are regarded as strategic partners.

There is also some very heavy artillery on call in the form of the Defence Signals Directorate (DSD). AHTCC’s Phelan confirms DSD’s relationship with the AHTCC, saying, “While I would rather not talk about the role of individual agencies, certainly they are part of the High Tech Crime Centre and, certainly, if we need to utilise their specific skills, then we do so from time to time”.

One of the DSD’s specific skills is e-mail interception via the classified Echelon network, which is believed to monitor the vast majority of the world’s e-mail flow each day in partnership with other spy outfits overseas.

The AHTCC also works closely with overseas partners including the London High Tech Crime Centre, the FBI and the US Secret Service, according to Phelan.

Authentication

Education and collaboration are essential, but their benefits are to be found mostly in the long term. Banks also have to deal with the barbarians already at the gates.

The answer they are all looking at today is two-factor authentication: an additional step, independent of the login and password, that a phished password alone cannot effectively defeat.

The move to implement two-factor authentication has taken on renewed urgency as the phishers’ sophistication increases.

For instance, in the 18 months prior to July this year, Westpac issued only 15,000 RSA tokens, mostly to business customers. In the next four months, it will issue an additional 60,000.

Bendigo Bank, with more than 100,000 registered Internet banking customers is going even further, becoming the first bank in Australia to make two-factor authentication mandatory.

“The tokens will be gradually rolled out to all e-banking customers, a process that will take some months,” says Moss.

While tokens are perhaps the best-known form of two-factor authentication currently in use, they are certainly not the only option.

The National Australia Bank has opted for a solution based around short message service (SMS), a technique that is increasingly popular in Asia and currently being utilised by banks such as the HSBC in Singapore.

The NAB system sends a one-off, randomly generated password to the customer, who then keys it into their payment authorisation screen to confirm the legitimacy of that transaction.
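The article describes the NAB scheme only in outline. The following is an added, constructed example (not NAB’s or any bank’s code) of how a transaction-bound one-time code service of that kind is typically built on the bank’s side: the code is cryptographically random, tied to the exact payee and amount it was issued for, expires after a short window, is consumed on first use, and is rate-limited so a six-digit code cannot be guessed. The code length, five-minute window, three-attempt limit and the sample account numbers are all assumptions; the SMS transport is stubbed with a callable so the example runs offline.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed example (not NAB's implementation): a one-time code bound to
# a single payment, as described in the article. The code is random, tied
# to one specific payee and amount, expires, and is consumed on first use.

CODE_LENGTH = 6          # assumption: six-digit numeric code
CODE_TTL_SECONDS = 300   # assumption: five-minute validity window
MAX_ATTEMPTS = 3         # assumption: lockout after three wrong codes


@dataclass
class PendingPayment:
    customer_id: str
    payee_account: str
    amount_cents: int
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


class TransactionOtpService:
    """Issues and verifies one-time codes bound to an individual payment."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # callable(phone_number, message) -> None
        self._clock = clock         # injectable so expiry can be tested
        self._pending = {}          # payment_id -> PendingPayment

    def start_payment(self, payment_id, customer_id, phone_number,
                      payee_account, amount_cents):
        # secrets, not random: the code must be unpredictable to an attacker
        code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
        self._pending[payment_id] = PendingPayment(
            customer_id, payee_account, amount_cents, code, self._clock())
        # Restating payee and amount lets the customer notice a payment
        # they never initiated, e.g. one injected by a Trojan on their PC.
        self._send_sms(phone_number,
                       f"Code {code} authorises ${amount_cents / 100:.2f} "
                       f"to account {payee_account}. If this is not your "
                       f"payment, do not enter the code.")

    def confirm_payment(self, payment_id, customer_id, payee_account,
                        amount_cents, submitted_code):
        """Return True only for the right code, the right payment, in time."""
        p = self._pending.get(payment_id)
        if p is None or p.used:
            return False                      # unknown or already consumed
        if self._clock() - p.issued_at > CODE_TTL_SECONDS:
            del self._pending[payment_id]     # expired: force a fresh code
            return False
        if p.attempts >= MAX_ATTEMPTS:
            return False                      # too many guesses at a short code
        p.attempts += 1
        # Binding check: the code is useless for any other payee or amount
        if (p.customer_id, p.payee_account, p.amount_cents) != \
                (customer_id, payee_account, amount_cents):
            return False
        # Constant-time comparison so timing does not leak the code
        if not hmac.compare_digest(p.code, submitted_code):
            return False
        p.used = True                         # single use: a replay fails
        return True


def demo():
    """Walk a payment through the service and report each check's outcome."""
    sent = []                                 # captured SMS messages
    clock = [1_000_000.0]                     # controllable clock for expiry
    svc = TransactionOtpService(lambda phone, msg: sent.append(msg),
                                clock=lambda: clock[0])
    payee = "062000-12345678"                 # constructed sample account
    svc.start_payment("pay-1", "cust-42", "+61400000000", "+payee", 250_00) if False else None
    svc.start_payment("pay-1", "cust-42", "+61400000000", payee, 250_00)
    code = sent[-1].split()[1]                # the code is the second word
    wrong = "000000" if code != "000000" else "000001"
    results = {}
    # Malware that swaps the payee cannot reuse the customer's code
    results["wrong_payee"] = svc.confirm_payment("pay-1", "cust-42", "999-OTHER", 250_00, code)
    results["wrong_code"] = svc.confirm_payment("pay-1", "cust-42", payee, 250_00, wrong)
    results["correct"] = svc.confirm_payment("pay-1", "cust-42", payee, 250_00, code)
    results["replay"] = svc.confirm_payment("pay-1", "cust-42", payee, 250_00, code)
    # A second payment whose code is left until after the window has closed
    svc.start_payment("pay-2", "cust-42", "+61400000000", payee, 10_00)
    code2 = sent[-1].split()[1]
    clock[0] += CODE_TTL_SECONDS + 1
    results["expired"] = svc.confirm_payment("pay-2", "cust-42", payee, 10_00, code2)
    return results


if __name__ == "__main__":
    print(demo())
```

The security-relevant point is the binding check: because the code only authorises the payee and amount it was issued for, a Trojan or keylogger that captures the login, the password and even the code gains nothing it can apply to a different transfer, and a captured code cannot be replayed once used or after the window closes.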

ANZ meanwhile takes a different approach again. It provides smartcards for two-factor authentication, but only for its corporate customers.

A shadowy enemy is out there right now, probing for weaknesses and growing smarter every day. And the opportunities for villainy only increase every week as more customers register to bank online and broadband becomes ubiquitous.

To stop them, the banks must cooperate not only with law enforcement, but also just as importantly with each other. In the end, the banks will win not by eliminating phishing but by inoculating their customers and their systems against the threat.

They know they must. They have moved too far so fast that now there is no alternative.

Crime stoppers

The formal collaborative frameworks established by Australia’s banking institutions and law enforcement agencies are regarded as world beating, but there is another area where Australia is apparently setting a trend.

Many of the chief security or senior security executives working in computer security in Australia’s banks come from a law enforcement background.

According to Symantec’s senior director of development worldwide, Vincent Weafer, “Outside of Australia you don’t see a lot of examples of that move.

“I would say Australia is further ahead in that area but we believe it is an emerging trend as companies are looking for CSOs who come from something other than an IT background.”

John Geurts at the Commonwealth Bank, Ken Day at the National Australia Bank (NAB) and Theo Nassiokas at Westpac all fit the bill.

NAB’s Day along with Neil Campbell, now at Dimension Data, and Ervin Visic, now at Securix, all left the Australian Federal Police (AFP) on the same day six years ago to establish the country’s first commercial computer forensic practice at Arthur Andersen. All three originally helped build the AFP’s Computer Fraud Detection Unit in 1990.

Their move sparked a rash of similar resignations in other law enforcement branches as the other major accounting companies followed Andersen’s lead.

Computer forensics is the collection, analysis and presentation of computer-based or electronic evidence in such a way that it has a high chance of being accepted by a court of law, says Campbell.

“Anyone can gather information about what has happened. But gathering it in such a way that you can meet the rules of evidence, well, that is where the expertise comes in,” says Campbell.

Another high-profile and now former copper is Alistair MacGibbon, until recently the head of the Australian High Tech Crime Centre and now eBay’s head of security.

The banks are reluctant to let their star recruits loose to comment. The NAB made it clear it preferred MIS not mention Ken Day at all. The others we approached declined to comment about their top security people. Only the Bendigo Bank, where former Victorian Detective David Harley is the senior manager, Fraud Prevention and Control, seemed comfortable letting its man out of the box.

Harley spent four years with Westpac after leaving the police force, where he worked for 15 years. Asked about the attractions of his new career over his former one he joked: “Better pay, regular hours, less dead bodies and no one is trying to kill you”.